Public cloud should have a common set of agreed global security criteria so customers can assess the integrity of cloud service providers, and those providers should be open and honest in their dealings with customers, Don Smith, VP of Engineering & Technology EMEA at SecureWorks, told ITP.net at the Dell Tech Camp in London.

"Cloud providers have to do their piece, they have to be open and honest about what they are doing already to secure the cloud. There needs to be a common set of agreed audit criteria for providers, [the industry]could come together and agree to follow an ISO 27000 or FAS 170 or whatever, to have a common way of establishing a depth and strength view of the cloud provider. If you don't take a holistic look at the provider, if you don't understand who their people are, what their technology is then you are not able to genuinely assess their security stance," said Smith.

According to Smith, public cloud does present some security challenges, but those challenges are actually old technical challenges, delivered in a new context. Five or six years ago, traditional enterprises could rely on the hard country perimeter, so did not practice security to the breadth and depth that was needed.

"Along comes the cloud and SaaS and public cloud with IaaS and you can no longer rely on that single very high wall outside your fortress, you have to make sure you have locks on every door, that you have guards on every street. In terms of security technologies there is a lot of stuff out there that can be deployed to protect the application, that can be deployed to protect the OS, protect the network and it is just a matter of bringing these technologies to bear," said Smith.

The very first thing any potential public cloud customer should investigate when looking at a cloud provider is the important interfaces: how the provider stands things up if identity is involved; if the provider is provisioning accounts with SaaS, how they do that; and how they get odd information out of the stack.

"If you don't have the fingers of visibility into the service provider then you are going to be blind right from the start. You should clearly ask for their standard statement of the security controls they have in place. Trust is the key thing that has to be established ,you have to trust your cloud provider," said Smith.

Public cloud customers are also very concerned about who is accessing their data, and a lot of the discussions SecureWorks has with customers are around who its own staff are, and what access they have to company data.

Despite concerns among many large companies about the security of the cloud, Smith said that now is the right time to begin using public cloud, initially for development tests, QA environments. However, before production data goes into any external facility, proper risk assessments have to be conducted and customers have to be confident in the security of the cloud. Smith said that there is no reason why some of the aspects of the engineering side of IT operations can't be conducted in the cloud and that there are many, many large companies that are doing significant amounts of business with the large cloud service providers.

"My belief is the boat is sailing and there is no point in trying to swim around in front of it, it is definitely sailing and it is better to be aware of the fact that cloud is upon us and take measures to protect yourself than it is to bury your head in the sand and say this is not happening for two or three years," he said.

One of the advantages to large corporations of using cloud is the speed at which new IT infrastructures and applications can be up and running.

"If you are a middle manager in a large enterprise and you speak to IT and say you have a special project, you would like to set up a dozen servers, IT come back and say you have to go through change management, have to do security reviews, we will give you the service in nine months time, when you really need that up and running in a week. Then you take your Visa card and go to service providers like Amazon or Dell and you have got it today," said Smith.

This rapid deployment and efficiency is creating worries at the level of internal enterprise IT departments, which may be doing an excellent job but cannot compete with cloud capabilities in either speed of implementation or cost-effectiveness.

"There is a certain amount of trepidation in the internal IT organisation thinking ‘hang on a minute where is my job going to be in four years time?' I think as in a lot of things, the security aspects of cloud, they are real, but I think people are sometimes using them as a lifebelt because change is bad, but evolution and change is inevitable," said Smith.

According to Smith, IT people are conservative by their very natures and security people even more so; trepidation around the implementation of public cloud is a natural public stance. He said that organisations are also unwilling to be the ones to stick their head above the parapet, so even if they are already using the cloud for test environments. "People don't want fingers to be pointed at them. You don't want to be the next front-page news story saying they are adopting cloud," he said.